But any senior executives breathing easier or planning to slash their cybersecurity budget - because they see this case as a sign that all hackers wear hoodies and live in their parents' basement, committing relatively minor infractions by gaming people's bad password choices - need to think again.

"My concern is that the less informed ... will use such examples to downplay the threat from organized crime gangs and nation-states."

"This [case] plays to so many stereotypes, I fear it will simply reinforce the public's view that nation-states are not a threat, but instead we should be worried about youths closeted in their parents' basement," says Alan Woodward, a professor of computer science at the University of Surrey.

"My concern is that the less informed, who don't want to spend money on what they see as ethereal defense, will use such examples to downplay the threat from organized crime gangs and nation-states," Woodward tells me. "The point is that this one got caught - the others tend not to. It's a case of real news contributing to confirmation bias for decision makers and legislators who do not really understand the threat landscape that is evolving."

Indeed, more advanced attackers - as in, ones who work to avoid detection by practicing better operational security - can exploit the same types of flaws allegedly targeted by the 20-year-old suspect for more malicious ends.

Young Hacker Problem: OPSEC Deficit

Compared to nation-state attackers or organized crime gangs operating online, security experts say young hackers are more likely to get caught.

In this case, a 20-year-old German national who's being tried in juvenile court and who has not been named by police confessed to the crime on Monday, saying he leaked the data via accounts using the handles "G0d" and "0rbit."

Police are being assisted by a 19-year-old German witness to whom the suspect reportedly bragged about his data leaks via the encrypted messaging app Telegram. Some news reports have said the suspect had used his own phone number to register for Telegram, making it child's play for police to identify him.

The suspect said he was self-taught and working alone, police say. They have also noted that he was a suspect in another data theft case two years ago, for which he was never charged.

Litmus Test

Think of this case as a litmus case for being able to stop what is often the least advanced type of attacker on the planet: a teenager who has sufficient time, inclination and sometimes, lack of moral judgment, to hammer away at an online target until they succeed.

Advanced Attackers Make Less Noise

How bad is the cybercrime problem? Last year, McAfee and the Center for Strategic and International Studies estimated "that cybercrime may now cost the world almost $600 billion, or 0.8 percent of global GDP."

Trying to quantify computer crime, however, suffers from this paradox: No one knows just how bad it is. Authorities say only a fraction of victims - individuals or businesses - report such crime to authorities (see: FBI to DDoS Victims: Please Come Forward).

Hence online crime defies easy quantification. While the FBI can count the number of bank robberies, likely very accurately, it relies on U.S. businesses that lose data or money due to hack attacks to self-report many such incidents, including the particulars of the crime. And that assumes that the business in question has even spotted the crime.

Lessons to Learn

Here's the right question for all public figures, politicians or celebrities to be asking right now: "Could I fall victim to any attacker who used the same tactics, and how do I protect myself?"

If so, the obvious next question is: "What should I do now to solve it?"

Authorities in Germany say they're crafting guidelines for their country's politicians in the wake of last month's mega-leaks.

Arguably, Germany's cybersecurity agency is already well behind the curve. "Why are standards agencies only now telling politicians and others how to protect their ID?" Woodward asks, noting that in the U.K., the National Cyber Security Center has long provided information security advice to lawmakers.

On the other hand, "I'm not entirely sure politicians listen to that advice, or even read it," he says.

Likewise, the 2014 dump of celebrities' nude photos, stolen from iOS device backups to iCloud should have served as a wake-up call to anyone with a public profile that any and all information they store in the cloud is at risk.

This plays to so many stereotypes I fear it will simply reinforce the public's view that nation states are not a threat but instead we should be worried about youths closeted in their parents' basement https://t.co/fCRdE2nof7

At least for politicians, "maybe the time has come to enforce 2FA," Woodward says, referring to two-factor authentication, which can block outright many types of account takeovers - even if users pick weak passwords - regardless of whether the attacker might be wearing a hoodie.

Because at the end of the day, it's never about your attacker's age, motivation or sartorial choices, but rather the strength of your defenses.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.eu, you agree to our use of cookies.